Wepawet-Online Malware analyzer


ha14
September 26th, 2009, 03:33 PM
Hi

Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.

To use Wepawet:

1. Upload a sample or specify a URL
2. Wait for the resource to be analyzed
3. Review the generated report

http://wepawet.iseclab.org/


Things you can do with Wepawet:
- Determine if a page or file is malicious
- Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other.
- Wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.
- Wepawet does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.

Franklin
September 26th, 2009, 08:14 PM
Yep, use it all the time here for pdf exploits where Wepawet will give any links to the payload exe.

Rmus
September 27th, 2009, 12:40 AM
Unfortunately, it's not always reliable (but what is!)

Recently, a drive-by attack served up the Zbot trojan. The page was a package, or kit, of 4 exploits, which Wepawet analyzed:

http://www.wilderssecurity.com/attachment.php?attachmentid=212548&thumb=1&d=1253942718

It showed the URLs for the first two. The PDF and SWF files cached and I hoped to see the same URLs in the code, since that is how most of these "kits" work.

Wepawet isn't giving dynamic analysis of some SWF files, so I couldn't get the URL for the malware:

[Attachment 212578]

It was identified by some AV as Trojan.SWF.Dropper!IK

Strangely, Wepawet showed the PDF file as benign, but it was the old Exploit/Win32.Pidief.

Most of the time, though, Wepawet provides a great service.

----
rich
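
An added example, not part of any post in this thread: when a cached SWF gets no dynamic analysis, a static pass can still list URLs stored in it as plain strings. It handles only FWS and zlib-compressed CWS files, finds nothing that a sample assembles or decodes at run time, and runs on a constructed sample with a placeholder URL.

```python
import re
import struct
import zlib

MAX_BODY = 32 * 1024 * 1024  # cap on inflated size, guards against zip bombs
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{4,}")


def swf_body(data: bytes) -> tuple[bytes, bool]:
    """Return (uncompressed body, length_ok) for an FWS or CWS file."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    signature = data[:3]
    declared = struct.unpack("<I", data[4:8])[0]  # total uncompressed length
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        # Everything after the 8-byte header is one zlib stream.
        body = zlib.decompressobj().decompress(data[8:], MAX_BODY)
    else:
        raise ValueError(f"not an FWS/CWS file: {signature!r}")
    # A mismatch means truncation or appended data, worth a closer look.
    return body, declared == len(body) + 8


def swf_urls(data: bytes) -> list[str]:
    """List the distinct plain-text URLs stored in a SWF file."""
    body, _ = swf_body(data)
    return sorted({m.decode("ascii") for m in URL_RE.findall(body)})


def make_sample(compressed: bool) -> bytes:
    """Build a constructed SWF-shaped file; the body is not real tag data."""
    body = b"\x00\x10padding\x00http://payload.example/load.exe\x00more\x00"
    header = (b"CWS" if compressed else b"FWS") + b"\x09"
    header += struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for flag in (True, False):
        sample = make_sample(flag)
        print(sample[:3].decode(), swf_body(sample)[1], swf_urls(sample))
```

An empty result from `swf_urls` says only that no URL is stored in the clear, not that the file is benign.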